Penetration Testing mailing list archives
Re: Spam: Re: what to do it illegal activity found during pen-test
From: Dotzero <dotzero () gmail com>
Date: Mon, 5 Jun 2006 15:40:25 -0400
On 6/4/06, Craig Wright <cwright () bdosyd com au> wrote:
> Hi,
>
> Actually, not reporting an offence may be an offence. Some examples include:
>
> - Failure to report computer child porn is an offense in most countries.
> - Reporting provisions under the US Patriot Act are just a start in the US.
> - Reporting provisions in cases of material fraud apply in most countries.
> - Provisions for not reporting under the Cybercrime Act 2001 (Cwlth), and the provisions covering computer-related forgery, for example, apply in Australia.
> - There is the UK "Duties to Report and the Proceeds Of Crime Act 2002" and "Section 330 of the Proceeds of Crime Act 2002 - Failure to disclose".
> - In France there are offences that specifically punish failures to report, namely Articles 434-1, 434-2 and 434-3.
>
> Contracts do not allow privity in cases where the act is illegal. You cannot exclude liability for not reporting a crime. You can agree procedures.
>
> "By choosing to carry out a profession, the individual is assumed to have chosen the responsibilities and duties that come with it" (Dr Rachael Stretch, Nottingham Trent University).
>
> So, "Unless there is immediate threat of danger to life or limb you do not report it to the police or anyone else" is not generally correct.
>
> Regards
> Craig
The original question did not present that the company was engaged in criminal acts. What was stated was that you come across indications of possible criminal acts during the course of a pen-test. I have come across various issues during the course of my career ranging from porn (including kiddie porn), fraud, and other illegal acts. I have never had an instance where there has been a problem because I reported it to the person at the company responsible for security. Any reputable firm is going to take the right steps. There may be a point where you are obliged to step forward to report an incident to the authorities because the company has not/will not. That is a different issue altogether.

I still stand by my original statements. Unless there is an immediate threat to life or limb, you should initially report the issue to the person responsible for security at the company you have contracted with. They may need to manage public relations aspects, human resources, financial controls or any number of things. You are not contravening any of the laws cited by notifying the company first (I don't deal with individuals or small businesses) and providing them the opportunity to manage the process. Bypassing the company you contracted with (except in extreme circumstances) is a guaranteed way to ensure that many prospective companies will avoid dealing with you in the future. I'm not saying you should never contact legal authorities. At many large/medium companies (at least in the U.S.) you will find a varying number of ex-FBI, Secret Service, and other LEO types in the security staff. Note, I am not referring specifically to IT staff.

At the end of the day, everyone will approach the issue in their own way. I'm on the client side (at this time), but I know that I wouldn't use a pen-tester whom I have heard is a "cowboy". We deal with multiple firms on the vendor side (pen-testing, audits, etc.) and over time you come to know which people "get it" and which don't.

If a person isn't smart enough/discreet enough to figure out the risks to my company of their blindsiding us, then they aren't smart enough for us to want to have them contracted to us. This isn't about fudging or hiding on the part of the company. It's about managing the process to minimize damage to the company while meeting the requirements of the law and addressing the problem which has been turned up. Most of the situations I have encountered (germane to this discussion) have involved items turned up during the course of acquisitions (both U.S. and international).

I had an informal chat about this thread with an AUSDA (Assistant U.S. District Attorney) I know, and he indicated that he hadn't heard of an instance where an outside security contractor or vendor got nailed for reporting to the security folks at an organization about something like kiddie porn or fraud (not systematically being perpetrated by the company itself) before going to the authorities (if the company did not take steps to address the issue).

As usual, just my 2 cents.
